An Introduction to Installing Your First Let’s Encrypt HTTPS Certificate

The use of https on open source projects has so far been somewhat restricted by the cost of acquiring and maintaining certificates. Because of this, and the broader need to improve Internet security, several projects are working on providing free, valid certificates. Among them, Let’s Encrypt launched its public beta last week, on December 3, 2015.

The Let’s Encrypt Approach

Let’s Encrypt is a Linux Foundation Collaborative Project that was started to fulfill a long-term mission of the Electronic Frontier Foundation (EFF): to encrypt the Web. According to the EFF, the “aim is to switch hypertext from insecure HTTP to secure HTTPS. That protection is essential in order to defend Internet users against surveillance of the content of their communications; cookie theft, account hijacking and other web security flaws; cookie and ad injection; and some forms of Internet censorship.”

There are several clients that support the ACME protocol; we chose the official letsencrypt client. As we had just upgraded the LinuxTV server last week, I decided to pioneer the installation of Let’s Encrypt certificates there.

How to Use Letsencrypt to Get an https Certificate

The first time the client runs, it installs its Python dependencies. The script is smart enough to identify the distribution and do the right thing in most cases. I tested it on both Fedora 23 and Debian with similar results, but some distributions, like SUSE, might require more work.

It then proceeds to the next step, asking for the administrator’s e-mail address.

It then asks you to agree to the license terms. Everything seemed fine to me, so I accepted them.

If Let’s Encrypt successfully detects the domains on your server, it will present you with a set of checkboxes to select the domains you want to serve over https.

If the script can’t detect the domains on the server, it asks you to type them in, separated by spaces.

NOTE: The script needs root or sudo access in order to install the needed dependencies and set up the Apache server. It also needs to run on the server where the certificates will be installed, because the ACME validation talks to that server; trying to run it on a different machine causes an error.

It then asked me whether to allow both http and https, or https only. I chose to allow both, but if your site handles sensitive information such as passwords or personal data, you should consider forcing all connections to use https.

After that, it created the certificate and updated the /etc/apache2 configuration for all the sites that were enabled.

Starting Using the New Certificates

That’s the most exciting part of the letsencrypt tool: the script adjusted all the configurations on my apache2 server and reloaded it automatically, so there’s nothing else to do to start using it! Ubuntu, Debian, CentOS 7, and Fedora are currently the only Linux distributions that support this automatic configuration; other distributions will likely require manual configuration.

After running the script, my Apache server was running with the new certificates with no downtime! Visitors to LinuxTV can now use https to access the site securely. We are currently working on implementing Let’s Encrypt on our blog and other internal resources here at the OSG. Here’s to a safer and more secure web!
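Once the client reports success, a few checks are worth running before calling the deployment done: that the certificate installed in Apache is the one that matches the private key, that it actually covers every name you selected in the checkbox step, that it is not close to expiry (Let’s Encrypt certificates are valid for 90 days, so this check belongs in cron), and, if you chose the https-only option, that plain http really redirects. The script below is an added example and is not part of the original post or of the letsencrypt client. It assumes the client’s file layout of /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem (an assumption; the post does not name these paths) and that openssl and curl are installed.

```shell
#!/bin/sh
# Post-install checks for a Let's Encrypt certificate deployed to Apache.
# Added example; not from the original post or the letsencrypt client.
# Assumed (not stated in the post): certificates live under
# /etc/letsencrypt/live/<domain>/ as fullchain.pem and privkey.pem.

# Exit 0 if the certificate stays valid for at least $2 more days.
# openssl -checkend exits non-zero when the cert expires within the window.
cert_valid_for_days() {
    cert=$1; days=$2
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Exit 0 if the private key belongs to the certificate: both sides are
# reduced to their SubjectPublicKeyInfo and the digests are compared.
# With fullchain.pem only the first (leaf) certificate is read.
cert_matches_key() {
    cert=$1; key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Exit 0 if $2 is listed as a DNS subjectAltName entry in the certificate.
# Entries are compared whole, so "example.com" does not match "www.example.com".
cert_covers_name() {
    cert=$1; name=$2
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF "DNS:$name"
}

# Exit 0 if plain http:// on $1 answers with a redirect to an https:// URL.
# Needs network access, so it only runs when a hostname is given below.
http_redirects_to_https() {
    host=$1
    out=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "http://$host/")
    case "$out" in
        30[1278]" https://"*) return 0 ;;
        *) echo "no https redirect: $out"; return 1 ;;
    esac
}

# Usage: sh check-le.sh linuxtv.org [www.linuxtv.org ...]
# The first name selects the /etc/letsencrypt/live/<domain> directory.
if [ $# -ge 1 ]; then
    live=/etc/letsencrypt/live/$1
    cert_valid_for_days "$live/fullchain.pem" 30 || echo "WARN: cert expires in under 30 days, renew it"
    cert_matches_key "$live/fullchain.pem" "$live/privkey.pem" || echo "FAIL: privkey.pem does not match fullchain.pem"
    for n in "$@"; do
        cert_covers_name "$live/fullchain.pem" "$n" || echo "FAIL: certificate has no SAN for $n"
    done
    http_redirects_to_https "$1" || echo "NOTE: http is still served without a redirect to https"
fi
```

The expiry check is the one to schedule: run it daily from cron and treat a warning as the signal to re-run the client, since a certificate that silently lapses after 90 days turns a working https site into a browser error page.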


Author: Mauro Carvalho Chehab

Mauro is the maintainer of the Linux kernel media and EDAC subsystems and of Tizen on Yocto. He's also a major contributor to the Reliability, Availability and Serviceability (RAS) subsystems.

The ACME protocol talks with the server during the authentication, in order to check if a new cert is being requested for it. So, if you want to get the certificate on some other machine, the server needs to be prepared first. I was not able to do it with the official client (letsencrypt), but I didn’t try hard. There is a “manual” mode there that is supposed to allow that. There are also some other client implementations, as mentioned at https://community.letsencrypt.org/t/list-of-client-implementations/2103, and I saw some comments from people using those other clients in order to be able to do what you want to do.